Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 4 additions & 13 deletions .github/workflows/vuln-scan.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
name: Vulnerability Scan

on:
release:
types: [published]
pull_request:
paths:
- 'cmd/**'
Expand All @@ -11,20 +13,9 @@ on:
- '.github/workflows/vuln-scan.yml'
- '.github/workflows/docker-release.yml'
- '.github/workflows/docker-snapshot.yml'
push:
branches:
- main
paths:
- 'cmd/**'
- 'internal/**'
- 'database/**'
- 'go.mod'
- 'go.sum'
- '.github/workflows/vuln-scan.yml'
- '.github/workflows/docker-release.yml'
- '.github/workflows/docker-snapshot.yml'
workflow_dispatch:
schedule:
- cron: '0 4 * * 1'
- cron: '0 4 */2 * *'

concurrency:
group: vuln-scan-${{ github.ref }}
Expand Down
2 changes: 1 addition & 1 deletion docu/security/SUPPLY_CHAIN_SECURITY.md
Original file line number Diff line number Diff line change
Expand Up @@ -121,7 +121,7 @@ Release workflow enforces semantic version parsing from the Git tag.
The repository provides a report-only Trivy workflow for continuous visibility.

- Repository filesystem scans (`scan-type: fs`) cover source and dependency manifests.
- Container image scans (`scan-type: image`) build and scan each service image on `push` to `main` and on scheduled runs.
- Container image scans (`scan-type: image`) build and scan each service image on scheduled runs.
- Findings are uploaded as SARIF.
- Current mode does not fail builds.
- Maintainers can later switch to fail on threshold (for example `HIGH,CRITICAL`) once baseline noise is reduced.
Expand Down